677814 - Infrastructure to manage permissions and groups

Status: RESOLVED FIXED

(developer.mozilla.org Graveyard :: Wiki pages, defect, P1)

Description

[John Karahalis [:openjck]]

We will need some kind of interface for manually assigning permissions to users and revoking permissions from them. This type of manual permission control may not be ideal, but it will be necessary until we implement more automated control, like bug 677799 details.

Thoughts?

Comment 1

[Les Orchard [:lorchard]]

Tweaking the title, and here's what I'm planning (copied from bug 768498):

Mostly as a note to myself, but feel free to discuss - I've had a notion to build a django app to support creation and management of "teams":

http://blog.lmorchard.com/2013/02/23/looking-for-a-django-app-to-manage-roles-within-groups

Initially, I'd thought this would be mainly useful for badges.mozilla.org. But, it could also be handy as a self-service tool we use to offer for users to form groups & manage roles and permissions with respect to documents created and managed by group members.

That is, someone could start the "/docs/*/SomeNewProject" subtree of wiki pages and form a "SomeNewProject" team to support it. Only members of that team with the appropriate role-based permissions would be able to edit pages beneath "/docs/*/SomeNewProject". Certain members of the team (ie. starting with the founding member) would have permissions to manage team membership & roles & permissions, etc.

Of course, site-wide admins would still have permission to do anything anywhere, but this could help subdivide responsibilities in an organic way.

Comment 2

[Eric Shepherd [:sheppy]]

That sounds excellent. I would like to be sure that admins can adjust these teams' permissions and membership, of course.

That sounds like a really great way to do things. I love it.

This would also give us a way to set up localization teams where the team leaders may have additional permissions, such as page moving or other potentially sensitive capabilities.

It might be nice if the permissions could also optionally be restricted by locale, so that we could give a localization team lead permission to move pages, but only within their own locale.

Comment 3

[Les Orchard [:lorchard]]

Some progress - I've been working on a django app called "teamwork":

    https://github.com/lmorchard/django-teamwork/

Teamwork adds a bunch of infrastructure for permissions (eg. view, edit, review) granted by per-object policies and by roles on teams that own objects. It's turned into a bigger thing than I'd hoped, but I think it's almost there.

Poking :ubernostrum for some new eyes on this thing, since I'm pretty sure it's very naive with respect to Django. The docs are non-existent so far, but a decent starting point to see what I'm trying to do is in the thick of the tests:

    https://github.com/lmorchard/django-teamwork/blob/master/teamwork/tests/test_backends.py

There's also an included mini-wiki site that I've been using to experiment, which might help show off some features, too.

Comment 4

[James Bennett [:ubernostrum]]

App looks good to me; I've looked through the code a bit and don't see any huge red flags; if anything, might submit a couple little tweak-y pull requests for it down the road.

Comment 5

[Les Orchard [:lorchard]]

I'm not confident as to whether this is production-ready yet, even as an MVP, but I submitted a PR for initial review:

https://github.com/mozilla/kuma/pull/1197

Comment 6

[Les Orchard [:lorchard]]

This was actually merged as groundwork for bug 768498

https://github.com/mozilla/kuma/commit/52806890615ff8be7e1d9c494ebcebb9d956f3b4